my computer is crazy, HijackThis Logs and Malware Removal
5 posts • Page 1 of 1
my computer is crazy
Some stuff was installed automatically on my PC. I don't know what it is. One is called Best ZOO P o r n, the other MS Antivirus. So can you help me with these things?
- ula
Re: my computer is crazy
Hello and welcome to registrycleanerz forum! I am going to help you with this problem. Follow my guideline exactly. And we are going to deal with this stuff very easily.
Go and download HijackThis (free analytical tool) and post the support log in this forum so I can have a look.
http://www.download.com/Trend-Micro-Hij ... 27353.html
Super Technical Nerd - Calorina
- Calorina
Re: my computer is crazy
This is my HiJackThis Log file. So I am waiting for further recommendations.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:32 PM, on 12/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Test\Local Settings\Application Data\qip\QuickInstallPack.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
O2 - BHO: CodecPlugin Class - {9CD70E31-074D-4C61-8063-98FCE57E6A10} - C:\WINDOWS\System32\CodecBHO.dll
O2 - BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - C:\Documents and Settings\Test\Local Settings\Application Data\qip\iercpt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [lphcj7cj0ea59] C:\WINDOWS\System32\lphcj7cj0ea59.exe
O4 - HKLM\..\Run: [SMrhcn7cj0ea59] C:\Program Files\rhcn7cj0ea59\rhcn7cj0ea59.exe
O4 - HKLM\..\Run: [PersonalAntiSpy Free] "C:\Program Files\PersonalAntiSpy Free\pas.exe" /min
O4 - HKLM\..\Run: [PASMonitor] "C:\Program Files\Common Files\PersonalAntiSpy\pbm.exe" dm=http://personalantispy.com;http://load.personalantispy.com ad=http://personalantispy.com;http://load.personalantispy.com sd=http://log.personalantispy.com
O4 - HKLM\..\Run: [upascw] C:\Program Files\PersonalAntiSpy Free\upascw.exe -c
O4 - HKLM\..\Run: [SecureExpertCleaner] C:\Program Files\SecureExpertCleaner\sec.exe
O4 - HKLM\..\Run: [Reminder] C:\Program Files\SecureExpertCleaner\Reminder.exe
O4 - HKLM\..\Run: [\YUR13.exe] C:\Windows\system32\YUR13.exe
O4 - HKLM\..\Run: [\YUR14.exe] C:\Windows\system32\YUR14.exe
O4 - HKLM\..\Run: [\YUR15.exe] C:\Windows\system32\YUR15.exe
O4 - HKLM\..\Run: [\YUR16.exe] C:\Windows\system32\YUR16.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [\YUR24.exe] C:\Windows\system32\YUR24.exe
O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [\YURB.exe] C:\Windows\system32\YURB.exe
O4 - HKLM\..\Run: [\YURC.exe] C:\Windows\system32\YURC.exe
O4 - HKLM\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
O4 - HKLM\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Test\LOCALS~1\Temp\video127.cfg.exe
O4 - HKCU\..\Run: [QuickInstallPack] "C:\Documents and Settings\Test\Local Settings\Application Data\qip\QuickInstallPack.exe" /autorun
O4 - HKCU\..\Run: [\YUR13.exe] C:\Windows\system32\YUR13.exe
O4 - HKCU\..\Run: [\YUR14.exe] C:\Windows\system32\YUR14.exe
O4 - HKCU\..\Run: [\YUR15.exe] C:\Windows\system32\YUR15.exe
O4 - HKCU\..\Run: [\YUR16.exe] C:\Windows\system32\YUR16.exe
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [\YUR24.exe] C:\Windows\system32\YUR24.exe
O4 - HKCU\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKCU\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YURB.exe] C:\Windows\system32\YURB.exe
O4 - HKCU\..\Run: [\YURC.exe] C:\Windows\system32\YURC.exe
O4 - HKCU\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
O4 - HKCU\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{12A05A63-E42C-4A31-BD35-04A3AD4C992F}: NameServer = 217.17.85.1,217.17.85.2
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
--
End of file - 4822 bytes
- ula
Re: my computer is crazy
That's what I wanted! But I need some time for a closer analysis of this HijackThis Log.
- Calorina
Re: my computer is crazy
Hello Ula! And this is what I have found while analyzing your HiJackThis log. Please follow my instructions carefully:
1. When you share public-domain music, audio, images, documents, and software programs over the Internet, be very attentive, as file sharing (P2P) can do a lot of harm to your PC. For more information on P2P, open this link:
http://www.registrycleanerz.com/article/0246/p2p-file-sharing-be-ready-for-uncovered-dangers.html
2. Also you should know that dumprep 0 -k is related to memory dumps that are sent as a report to MS as part of their Error Reporting system. Still, if you need more information on this issue you may find it here:
http://www.registrycleanerz.com/article/0252/identifying-dumprep-0-k-related-errors-and-reading-the-small-memory-dump-files.html
3. Next, find and delete the HKLM reg keys. Use the following link to do this:
http://www.youtube.com/watch?v=eDGtxzjka_Y
4. Secure expert cleaner and Personal Antispy are really bad.
5. And you should urgently remove the hives from YUR1.exe to YUR24, as this is associated with the malware group trojan.vundo.
Last bumped by Anonymous on Tue Jul 28, 2009 1:01 am.
- calorina
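The review of the autorun (O4) lines in the log above, as an added example that is not part of the original posts: a small parser that pulls the Run entries out of a HijackThis log and attaches triage hints to each value name. The hint rules are assumptions chosen for this illustration and only mark entries for a closer look; the sample lines are copied from the posted log, with the PASMonitor line shortened.

```python
import re
from collections import defaultdict

# Matches lines such as: O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")

# Constructed sample: lines from the log posted in this thread (PASMonitor shortened).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\YUR13.exe] C:\Windows\system32\YUR13.exe
O4 - HKCU\..\Run: [\YUR13.exe] C:\Windows\system32\YUR13.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Test\LOCALS~1\Temp\video127.cfg.exe
O4 - HKLM\..\Run: [PASMonitor] "C:\Program Files\Common Files\PersonalAntiSpy\pbm.exe" dm=http://personalantispy.com
"""

def parse_o4(log):
    """Return (hive, key, value_name, command) for every O4 autorun line."""
    return [m.groups() for line in log.splitlines()
            if (m := O4_RE.match(line.strip()))]

def triage(log):
    """Map each autorun value name to the hints it triggers (assumed heuristics)."""
    entries = parse_o4(log)
    hives = defaultdict(set)  # (name, command) -> hives it is registered in
    for hive, _key, name, cmd in entries:
        hives[(name, cmd)].add(hive)
    hints = defaultdict(set)
    for hive, _key, name, cmd in entries:
        low = cmd.lower()
        if name.startswith("\\"):
            hints[name].add("value name starts with a backslash")
        if "\\temp\\" in low:
            hints[name].add("runs from a Temp directory")
        if re.search(r"\.\w{2,4}\.exe\b", low):
            hints[name].add("double file extension")
        if "http://" in low or "https://" in low:
            hints[name].add("URL passed on the command line")
        if len(hives[(name, cmd)]) > 1:
            hints[name].add("same entry in HKLM and HKCU")
    return {n: sorted(h) for n, h in hints.items()}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Entries that trigger no hint, such as GhostStartTrayApp and KernelFaultCheck in the sample, are left out of the result; that means only that none of these rules matched, not that the entry is clean.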
